I don’t like writing scare pieces. But this one? It needs to be written.

Because if your team is deploying AI agents or leveraging AI desktop tools using the Model Context Protocol (MCP) and you’re not securing them with a gateway, you’re basically leaving the doors and windows open and walking away.

So, what is MCP and why should I care?

The Model Context Protocol (MCP) is like the glue that connects AI agents to outside tools and information. It lets an AI model talk to your CRM, hit your internal APIs, or fetch files on your system.

Sounds useful, right?

It is. That’s why so many teams, from startups to massive enterprises, are adopting it. MCP makes AI agents way more capable. It turns them into doers and not just talkers.

But there’s a catch.

MCP servers require security considerations

A recent security assessment by Equixly looked at dozens of popular MCP implementations. The results weren’t promising:

• 43% had command injection flaws
• 30% allowed Server-Side Request Forgery (SSRF is basically letting attackers poke around your internal network)
• 22% exposed arbitrary file read vulnerabilities
• Only 30% of vendors even patched the issues when they were told

Worse? Some vendors claimed these risks were “theoretical” or “acceptable.” That’s like a car company saying exploding airbags are “edge cases”, and only happen when there’s an accident.

These are not theoretical. They’re real. And they’ve already caused real-world incidents.

The hacks are creative and terrifying

Let’s break down what’s happening out there:

• Prompt Injection: Attackers can sneak commands like “IGNORE ALL PREVIOUS INSTRUCTIONS” into API responses. Your AI agent happily obeys.
• SQL Injection: Old-school attack, new playground. Some MCP servers let you drop malicious SQL into prompts and exfiltrate data.
• Cross server shadowing: MCP metadata or responses change how the AI interacts with other servers.
• Server Spoofing/Tool Mimicry: MCPs trick the AI into using the wrong servers & tools.
• Authentication Bypass: Some servers don’t verify who’s calling. Others let you register rogue MCP endpoints and impersonate trusted tools.
• Tool Poisoning: A tool looks safe at install. Then one day, it updates silently and starts stealing data.
• Rug Pulls: Third-party MCP packages switch behavior after getting adopted widely—just like malicious npm packages have done for years.

This isn’t speculation. It’s already happened as detailed in security investigations from Composio and Equixly:

• One attack chain exposed Asana data via unsecured MCP endpoints
• Another let attackers run remote commands on public-facing servers
• One even granted access to private GitHub repos through a compromised MCP tool

Here’s what actually works: The MCP Gateway

Gateways act like bodyguards for your AI agents.

They sit between the AI client and the MCP server. Every request goes through the gateway. Every response does too.

The idea is simple: Centralize security. Remove trust from the server layer. Lock everything down.

Here’s how they help.

1. They handle identity properly

• Full OAuth 2.0/2.1 support
• Short-lived tokens (so even if someone grabs one, it’s useless soon)
• Role-based access control
• Integration with enterprise identity systems like Okta, Azure AD

Your AI agents don’t manage auth. The gateway does. That’s safer and way easier to manage.

2. They validate and sanitize everything

This is the magic. The gateway checks:

• Are prompts malicious?
• Is someone trying to inject SQL or shell commands?
• Are any tool descriptions poisoned?

It also strips out anything sketchy. Think of it like a metal detector for every request.

Some even use machine learning to detect suspicious prompts.

3. They audit, monitor, and alert

Every request. Every response. Logged.

You can get real-time alerts when something fishy happens. You can plug into your SIEM. You can see what tools were called, by whom, when, and how.

This isn’t optional anymore. It’s table stakes for enterprise deployment.

4. They lock down the tool supply chain

Before a tool is allowed through the gateway, it’s scanned:

• What’s the source?
• How popular is it?
• Has it ever been flagged?
• Is the repo still active?

Tools that fail checks can be blocked automatically.

If you’re not scanning tools, you’re just waiting to be breached.

So who’s building these gateways?

There are a number of gateway solutions now available, offering different levels of security, specialization, and enterprise readiness. Below are several strong options:

Enkrypt AI Secure MCP Gateway

Offers dynamic tool discovery, built-in prompt sanitization, and enterprise-grade authentication for secure MCP deployments.

• Built‑in security scans
• Dynamic tool discovery
• Works with enterprise authentication
• Performance‑optimized

Lasso Security MCP Gateway

Focuses on threat prevention with:

• Plugin architecture
• Server and tool risk scoring
• Automated blocking of high‑risk components

WAV Group Gateway Template (Real Estate Focus)

WAV Group offers a Gateway Template designed for real estate brokerages and MLSs. Key features:

• Prompt sanitization tailored for real estate contexts
• Guardrails for private client/buyer/seller data
• Role‑Based Access Control (RBAC) at agent/user levels
• Audit logging specific to real estate workflows
• MLS API integration controls and PII masking for real estate data
• Designed as a template clients can adopt to deploy secure, compliant AI agents in real estate environments

Obot MCP Gateway

Obot is an open‑source gateway focused on enterprise requirements. Some of the features:

• Admin control plane: IT can onboard MCP servers, define access policies, manage users/groups, monitor usage. 
• Catalog / discovery: A searchable directory of approved MCP servers, documentation, trust/reputation information. 
• Proxying & hosting: Support for both local and remote MCP servers; ability to proxy third‑party ones with audit and routing control. 
• Access control + logging: Role‑based access, enterprise auth integration (Okta etc.), audit logs for MCP‑client/server interactions. 

Kong Konnect / Kong AI Gateway

Kong is more known as an API gateway, but it’s also building out MCP support and gateway‑style features. Key capabilities:

• Kong Konnect MCP Server: Enables MCP clients (e.g. Claude) to query APIs, configuration, analytics via Kong’s control plane. 
• Securing & governing MCP traffic: Kong’s AI Gateway offers plugins and policies for authentication (OIDC / Key Auth), rate limiting, prompt filtering (guardrails) etc. 
• Observability: Metrics, logging, tracing for MCP traffic. 

What should your team do right now?

If you’re deploying MCP servers, or building on top of them, here’s a basic security checklist:

• Set up a gateway (before anything goes live)

This is non-negotiable. Even for internal tools.

• Use proper auth

Hook into OAuth. Integrate with your identity provider. Don’t hand-roll this.

• Validate inputs and outputs

Use JSON schemas. Sanitize tool responses. Strip out embedded commands.

• Lock down your network

Log everything. Store audit trails. Send alerts when strange stuff happens.

• Don’t trust tools blindly.

Scan them. Review their source. Watch for updates. Use a reputation system.

The future isn’t secure by default

MCP is a powerful idea. But it’s dangerously naive out of the box and can expose your most valuable asset, your data.

Vendors are moving fast. Too fast. And when 43% of servers have command injection flaws, you don’t get to say “well, we trust our stack.”

You lock it down. You build defensively. You audit, scan, and restrict.

This isn’t optional if you’re serious about deploying AI in production.

And finally: stop hoping and start securing

Hope is not a security strategy. “No one would ever target us” is how breaches happen. “It’s just a proof of concept” becomes a Common Vulnerabilities and Events (CVE).

The MCP ecosystem is still young. That means you get to choose your architecture now before someone else chooses it for you via an incident report.

So choose wisely.

Start with a gateway.

The post The Hidden Risk in MCP Servers That Could Expose Your Business appeared first on WAV Group Consulting.

Recent events have made it crystal clear: 8-character passwords are no longer enough to protect an account. With today’s computing power even a complex 8-character password can be cracked in as little as two minutes.

Cotality’s recent announcement to mandate Multi-Factor Authentication (MFA) isn’t just a policy update: It’s a wake-up call for our entire industry. 

In a recent phishing attack, 48 Matrix user accounts from 13 MLSs were compromised, and here’s the sobering reality: 47 of the compromised user accounts lacked MFA; the one account with MFA was accessed via a stolen device.

The numbers don’t lie. MFA works.

As Cotality’s Kevin Greene puts it perfectly: “From banking to health care to online shopping, MFA has become table stakes. It’s not optional any longer, it’s essential.”

Key dates every MLS should have circled: 

1. October 31st: System-wide MFA must be enabled
2. November 3rd: CAPTCHA challenges begin for non-compliant systems
3. December 31st: All Matrix accounts must have an IDP implemented

This isn’t about compliance. It’s about protecting the trust your members place in you every single day. When agents can’t access critical tools or face constant security challenges because we didn’t prioritize basic cybersecurity, we’ve failed them.

My challenge to every MLS executive: Don’t wait until October 30th. Implement MFA now. Your agents, your data, and your reputation depend on it.

Read Cotality’s full announcement here: https://www.cotality.com/resources/article/cotality-mandates-mfa-requirements-for-all-matrix-customers

What security measures is your MLS implementing beyond the minimum requirements? The time for “good enough” cybersecurity is over.

The post MLS Leaders: The Security Bar Has Been Raised. And It’s About Time appeared first on WAV Group Consulting.

This week, Cotality and FBS asked real estate professionals in about 15 different MLS markets to reset their passwords. There was no mention of the issue from ICE (Paragon) or Rapattoni or others – but you can bet your bottom dollar that everyone was impacted by this. To be clear, nobody was hacked, rather, nefarious people stole (or were given) the usernames and passwords to log into the MLS as an agent. 

Cause of the problem: Agents were not protecting their passwords. MLSs made the choice not to require muti-factor authentication in their system. This had nothing to do with security or best practices at Cotality or FBS. 

Let’s be honest, many agents probably overreacted to this inconvenience. A number of MLS help desks had a surge of calls. But let’s also put it into perspective: resetting a password isn’t exactly a monumental event in anyone’s life. Sure, it’s annoying, it takes a few minutes, and then you move on. Most importantly, you should not need to call a help desk to teach you how, or to complain that the same password you have used for the past 25 years needs to be reset. Real estate agents need to take security more seriously. 

Dealing with this minor inconvenience is vastly better than dealing with a data breach or a system outage, which was not the case here. Real estate professionals frequently handle sensitive client data in the MLS behind a password, and unfortunately, the reality is that many agents aren’t exactly diligent about password management. Remember too, the MLS is not only your system. It is the system shared with all brokers in your market and the consumers we all serve. Simply put, if you can easily remember your password, or you use it in multiple software applications, it’s probably not secure enough.

It looks to me like this issue was caused by two things. First, agents exposed their passwords or reused passwords that were in some other security breach (probably Microsoft SharePoint). Secondly, MLSs choose not to deploy two-factor or Multi-factor Authentication for login.

Here is what Stellar MLS posted today: “Thanks to our proactive security protocols, most notably the recent implementation of multi-factor authentication (MFA), Stellar MLS customers were not impacted,” said Merri Jo Cowen, CEO. 

In other words, Stellar made the right choice to force multifactor authentication and they were not impacted! Other MLSs should use this opportunity to make the same choice.   

To keep your data—and your clients’ data—secure, here are some simple, practical tips:

1. 1. Use unique passwords: Don’t reuse the same password everywhere. Each service or platform deserves its own unique password.
   2. Choose strong passwords: Aim for at least 12 characters with a mix of uppercase, lowercase, numbers, and symbols. Avoid obvious choices like names, birthdays, or common words.
   3. Use a password manager: A good password manager securely stores all your passwords and can automatically create strong, random passwords for you.
   4. MLSs should Enable Multi-factor authentication: This adds an extra security layer by requiring two forms of verification to access your account. For example, after entering your password when logging into your bank account, you might receive a text message or email with a unique code that you also have to enter to complete the login.
   5. Change passwords regularly: Get into the habit of updating passwords every few months.
   6. Update your security policies: for employees, agents, and in your applications.
   7. Check your insurance coverage

The password reset last week might have disrupted your morning coffee or thrown off your daily routine, but it’s actually a best practice. Take this opportunity to tighten up your digital security, it might save you from much bigger headaches down the road.

Stay tuned for more practical cybersecurity tips for real estate professionals. Cyber Security month is in October. Brokers, MLSs, and tech vendors can save themselves a lot of grief by training agents on best practices with security.

Below are two excellent articles from Florida Realtors Tech Helpline that are excellent reading: 

Why You Need to Say “Yes” to Multifactor Authentication

Protect Your Data From Online Threats: 4 Ways to Keep Clients & Family Safe

The post MLS Forced Password Reset appeared first on WAV Group Consulting.

As a technology consultant, I find it surprising that many clients have yet to adopt a business-class password manager. I am continually exposed to passwords from their corporate applications and vendor product integrations held by individuals within the organization.

I’ve seen API keys stored in unencrypted files in Google Drive, Dropbox, or Microsoft OneDrive. The worst is when I see .pem, .key, or .pfk files accessible via the same file storage as API keys. These files allow access to critical parts of the corporate infrastructure and usually provide Administrators with access to business systems.

The Risk of Unknown Passwords

All it takes is one phishing breach, and bang, the door is opened for the bad actors to take advantage of the system. Phishing attacks account for over 90% of the security breaches, according to the Cybersecurity and Infrastructure Security Agency (CISA)

With the rise of cyber-attacks and data breaches, it is more crucial than ever for companies to prioritize strong password management practices. This includes using a business-class password manager, enabling two-factor authentication, implementing strong passwords, and updating passwords regularly.

One of the most significant challenges in password management within organizations is when an employee leaves or changes positions. Retrieving passwords and revoking access for former employees is time-consuming and inefficient without a centralized password manager.

This not only poses a security risk, but also disrupts workflow when new employees join the organization.

Strong password management can protect corporate systems and data as well as employees’ personal information. With many individuals using the same password for multiple accounts, a data breach at work could potentially lead to compromised personal accounts.

By implementing secure password practices within the workplace, companies can also help their employees protect their personal information.

I have compiled an analysis of the top five password managers that excel at managing passwords, API keys/secrets, and PEM files while offering robust access control.

1Password – Business & Enterprise

1Password offers a comprehensive solution that is easy to use across all devices. It supports the management of passwords, API keys, and secure notes (which can store PEM files).

1Password’s standout features include its slick user interface, seamless autofill capabilities, and robust sharing functionalities. It also features a Travel Mode that temporarily removes sensitive data from devices while crossing borders. The product offers security features for software development, such as eliminating credential storage in code, securing the deployment pipeline, and enabling push, pull, and commits to code repositories.

This password manager is highly secure, with no reported prior data breaches to its systems. It also provides various handy features, like secure file storage and login autofill.

Benefits

• Supported Browser Extensions: Google Chrome, Mozilla Firefox, Microsoft Edge, Opera and Safari
• Audit security logs
• Customizable access control policies
• SOC2 Type 2 compliant
• GDPR, CCPA compliant
• Two-factor authentication – Supports Microsoft Authenticator, Authy, and Okta Verify.
• Account recovery
• SSO Integration with Azure AD (Microsoft 365) and others – Enterprise only.
• Admin controls to manage employees, permissions, and delegate responsibilities
• Advanced reporting for compromised employee emails and vulnerable passwords
• Free family accounts for all employees – Enterprise Only
• 24/7 dedicated business support
• Available on Mac, iOS, Windows, Android, Chrome OS, and Linux

Pricing

Business = $19.99/mo for up to 10 users

Enterprise = $7.99/user/month (billed annually)

Bitwarden – Business Team and Enterprise

Bitwarden is the only open-source password manager out of this selection. It offers a free version with unlimited password storage and device syncing. It’s highly secure and audited annually by third-party cybersecurity firms.

Bitwarden also provides an Enterprise plan. It supports the safe storage of passwords and notes, which can be used to manage API keys and PEM files. Its Enterprise plan includes features like vault health reports, emergency access, and advanced multifactor authentication options.

Bitwarden uses 256-bit AES encryption and passed a third-party security audit. However, FlashPoint’s March 2023 report found a vulnerability in Bitwarden’s auto-filling feature that could allow malicious iframes to steal user credentials from legitimate sites.

Bitwarden had been aware of this vulnerability for years, but whether they addressed the root cause remains unclear. For safety reasons, the auto-fill feature is disabled by default.

Benefits

• Supported Browser Extensions: Google Chrome, Mozilla Firefox, Microsoft Edge, Opera and Safari
• Audit security logs
• Customizable access control policies
• SOC2 Type 2 compliant
• GDPR, CCPA compliant
• Basic two-factor authentication with various authenticator applications – Organization authentication with DUO is available for Enterprise licenses.
• Account recovery
• SSO Integration with Azure AD (Microsoft 365) and others – Enterprise only.
• Admin controls to manage employees, permissions, and delegate responsibilities
• Advanced reporting for compromised employee emails and vulnerable passwords
• Free family accounts for all employees – Enterprise Only.
• There is a self-hosted option is available.
• 24/7 dedicated business support
• Available on Mac, iOS, Windows, Android, Chrome OS, and Linux

Note: For Vivaldi, Brave, and Tor, only the most recent version of the browser extension is supported. The Safari browser extension is packaged with the desktop app and is available for download from the macOS App Store.

Pricing:

Teams = $4.00/user/month (billed annually)

Enterprise = $6.00/user/month (billed annually)

Keeper

Keeper provides a secure password and secret management environment suitable for individual and enterprise use. It offers robust features such as secure file storage, which can be used to manage PEM files, and a user-friendly interface for controlling access to passwords and API keys.

Keeper also includes features like dark web monitoring and strongly emphasizes security with its zero-knowledge architecture. There are no known breaches of their platform.

Benefits:

• Supported Browser Extensions: Google Chrome, Mozilla Firefox, Microsoft Edge, Opera and Safari
• Audit security logs
• Customizable access control policies
• BreachWatch scans the dark web for stolen credentials and alerts users if their information is compromised.
• Basic two-factor authentication with various authenticator applications.
• Account recovery 
• SSO Integration with Azure AD (Microsoft 365) and others – Enterprise only.
• Admin controls to manage employees, permissions, and delegate responsibilities
• Advanced reporting for compromised employee emails and vulnerable passwords
• 24/7 dedicated business support
• Available on Mac, iOS, Windows, Android, Chrome OS, and Linux

Pricing:

Business: $3.75/user/month (billed annually)

Enterprise: Need to quote

Dashlane

Dashlane is known for its strong security credentials and ease of use. It supports the storage of passwords and secure notes, which can be used for API keys and PEM files.

Dashlane’s features include a built-in VPN for additional online security and dark web monitoring to alert users to potential data breaches. It also offers robust access control features, making it a good choice for businesses looking to manage those with access to certain types of sensitive information.

Another feature is the automatic password changer. This feature will change passwords on your websites with one click. When someone leaves the company, it’s a great tool, and you must remove access to website applications.

Benefits:

• Supported Browser Extensions: Google Chrome, Mozilla Firefox, Microsoft Edge, Opera and Safari
• Audit security logs
• Customizable access control policies
• Built-in Virtual Private Network (VPN)
• Automatic Password Changer
• Basic two-factor authentication with various authenticator applications.
• Account recovery 
• SSO Integration with Azure AD (Microsoft 365) and others – Enterprise only.
• Admin controls to manage employees, permissions, and delegate responsibilities
• Advanced reporting for compromised employee emails and vulnerable passwords
• 24/7 dedicated business support
• Available on Mac, iOS, Windows, Android, Chrome OS, and Linux.

Pricing:

Business: $8.00/user/month (billed annually)

Enterprise: Need to quote

ManageEngine Password Manager Pro

This tool suits enterprise environments where managing resource access is crucial. It offers extensive access control features, including role-based access controls and automated workflows for password access, which are essential for securely managing API keys and PEM files. Password Manager Pro allows for detailed audit trails and real-time alerts on password access, providing high security and compliance.

Benefits:

• High-end scalability
• Comprehensive audit trails
• Real-time alerts
• Windows Password Manager
• Supported Browser Extensions: Google Chrome, Mozilla Firefox, Microsoft Edge, Opera and Safari
• Audit security logs
• Customizable access control policies
• Basic two-factor authentication with various authenticator applications.
• Automated Password Changes
• Password Policy Governance
• Account recovery 
• SSO Integration with Azure AD (Microsoft 365) and others – Enterprise only.
• Admin controls to manage employees, permissions, and delegate responsibilities
• Advanced reporting for compromised employee emails and vulnerable passwords
• 24/7 dedicated business support
• Available on Mac, iOS, Windows, Android, Chrome OS, and Linux.

Pricing:

Need to request a quote

Summary

These password managers are selected based on their ability to securely manage not only passwords but also other sensitive information like API keys and PEM files, coupled with their robust access control mechanisms to manage who has access to these resources.

When we conduct technology audits for your company, we investigate and report on various areas. Most importantly, you will understand how your organization manages access to essential operational systems.

In summary, effective password management is crucial for maintaining your organization’s security and efficiency. Therefore, a centralized password manager streamlines employee access and significantly reduces the risk of data breaches. We discussed how security by design goes a long way to protect from unwanted breaches.

WAV Group conducts comprehensive technology audits to evaluate your current systems and recommend top-notch solutions for securing your sensitive information. Contact us today to ensure your company is safeguarded against potential security threats.

The post Are Your Systems Safe: My Top 5 Password Managers appeared first on WAV Group Consulting.

However, the winds of change are blowing through the digital landscape, and Google Chrome, the world’s dominant browser, is leading the charge toward a privacy-first future. Its plan? To phase out third-party cookies entirely by the end of 2024.

Note: As of October 2023, Google Chrome has the highest browser share in the United States at 51.94%. Safari at 29.29%, Edge at 8.67%, and Opera at 4.4%.

So, how exactly is Google accomplishing this cookie crackdown? So, Buckle up real estate marketers, because it’s about to get technical!

The Chrome Blockade

Anthony Chaves, who is the VP of Privacy Sandbox at Google, announced in his article titled “The next step toward phasing out third-party cookies in Chrome” that,

“… January 4, we’ll begin testing Tracking Protection, a new feature that limits cross-site tracking by restricting website access to third-party cookies by default. We’ll roll this out to 1% of Chrome users globally, a key milestone in our Privacy Sandbox initiative to phase out third-party cookies for everyone in the second half of 2024, subject to addressing any remaining competition concerns from the UK’s Competition and Markets Authority. “

Tracking Protection

Currently in its testing phase, this feature restricts third-party cookies by default for a small percentage of Chrome users. As the rollout expands, websites’ ability to track users across different domains will be severely limited. So, be aware your tracking reports will start

Privacy Sandbox

This umbrella term encompasses Google’s alternative solutions for targeted advertising and user measurement without relying on third-party cookies. These solutions are still under development by Google and the broader web community.

Some proposed technologies include:

• Topics API – This assigns users broad interest categories like “sports” or “travel” based on their browsing activity, instead of specific website visits.
• Federated Learning of Cohorts (FLoC) – Cohorts are groups of users with similar browsing habits, and ads are targeted to these groups without revealing individual data.
• Trust Tokens – Websites issue encrypted tokens to users as proof of identity, reducing the need for third-party tracking.

Key Insights for Real Estate Marketers

The blocking of third-party cookies presents both challenges and opportunities for real estate marketing. Here are five crucial insights to navigate the changing landscape:

• Embrace First-Party Data by cultivating a robust first-party data strategy through website analytics, CRM integrations, and loyalty programs. Leverage this data for personalized marketing campaigns and audience segmentation, all within the bounds of user privacy.
• Contextual targeting takes center stage through continuous investment into contextual targeting platforms that rely on website content and user behavior signals rather than cookies. This allows you to deliver relevant ads based on the current browsing context. This would be like showcasing luxury listings on real estate search pages.
• Build trust and direct relationships with potential buyers and sellers. Use email marketing, social media engagement, and targeted content marketing to curate leads and convert them into loyal clients.
• With mobile dominating real estate searches, it’s crucial to optimize your website and marketing efforts for mobile-first. It’s surprising to see many people still focusing on desktop view when designing and messaging their advertising assets. Make sure you prioritize mobile to stay ahead in the game. Consider location-based targeting to reach users actively searching for properties in specific areas.
• Experiment with Privacy Sandbox Solutions by staying informed about the evolving Privacy Sandbox initiatives and experimenting with the available APIs and tools. Early adoption can give you a head start in the new privacy-focused advertising landscape.

What are the key differences between third-party cookies and first-party cookies?

The key difference between third-party cookies and first-party cookies lies in who creates and uses them.

First-party cookies

• Created by the website you’re visiting (the “first party”).
• Stored on your device by the website’s domain.
• Used by the website to remember your preferences, keep you logged in, track your activity on the site, and personalize your experience.
• Generally considered less intrusive because they don’t share data with other websites.

Third-party cookies

• Created by a domain other than the website you’re visiting (the “third party”).
• Often placed on your device by embedded code from advertising or analytics companies.
• Can follow you across different websites that use the same third-party code, building a detailed profile of your browsing habits.
• Used for targeted advertising, retargeting, and cross-site analytics.
• Raise more privacy concerns because they can track your activity across multiple domains without your explicit knowledge.

Summary

While Google’s third-party cookie phaseout may seem daunting, it also presents an opportunity for real estate marketers to refine their strategies and prioritize user privacy. Embrace first-party data, invest in contextual targeting, and build direct relationships to thrive in the privacy-first future. Remember, the focus is shifting from intrusive tracking to building trust and delivering value. Embrace this change, and unlock the potential of a more sustainable and ethical approach to real estate marketing.

This article is designed to be informative and actionable, but it’s important to stay updated on the latest developments in Google’s Privacy Sandbox and adapt your strategies accordingly. Don’t hesitate to seek further resources and guidance from qualified SEO and marketing professionals or contact David Gumpper of the WAV Group.

The post Third-Party Cookies Do Crumble With Google Chrome’s Privacy Shift appeared first on WAV Group Consulting.

It is precisely the kind of protection MLSs need and must have in place. It uses artificial intelligence and machine learning for its adaptive authentication protection. It can identify suspicious activity and, most importantly, selectively deploy multi-factor authentication. By monitoring login activity in real time, it can automatically detect when login exceeds an acceptable risk threshold.

Last year was a wakeup call for MLSs and security. The timing by CoreLogic could not be better.

Cyberattacks are surging, and not just in real estate. According to a new report by MIT Professor Stuart Madnick, there were more ransomware attached in the first nine months of 2023 than in all of 2022.

The report notes that “ransomware attacks increased to levels never seen before while also becoming more sophisticated and aggressive. Hackers are becoming more organized, often through ransomware gangs. Their attacks are also more threatening and more likely to target organizations with sensitive data…”

In the current ransomware crosshairs is the real estate industry: news reports have documented major disruptions for over 100 MLSs, title companies, home builders, and more. No sector in real estate is immune, and preparation is the key.

Clariety, purchased by CoreLogic in 2017, has been the gold standard in real estate security for decades. Leveraging the power of AI, CoreLogic is offering one of the best ways MLSs can protect themselves from the growing and more sophisticated aggressions of bad actors.

By using one of the newest and most advanced ways to instantly deter unauthorized users, bots and deceptive login attempts, MLSs can protect their members/subscribers and their clients by preserving the integrity of their MLS systems and data.

Read the full news release from CoreLogic here:

CoreLogic Unveils Clareity Assure for Advanced MLS Security featuring Adaptive Authentication

Clareity Assure helps protect real estate agent and client data

IRVINE, Calif., January 10, 2024 — CoreLogic announced today a new offering to its Clareity security solutions for Multiple Listing Services by launching Clareity Assure, now available to all MLSs. The new, advanced security platform features adaptive authentication and leverages multi-factor authentication to offer MLSs a highly fortified defense to protect its data and infrastructure against escalating cyber threats.

Clareity Assure uses adaptive authentication with built-in artificial intelligence and machine learning to identify suspicious activity and selectively deploys multi-factor authentication when a login risk level exceeds an acceptable risk threshold. This offers MLSs one of the newest and most advanced ways to deter unauthorized users, bots and deceptive login attempts in real time. By preserving the integrity of MLS systems and data, Clareity Assure also protects real estate professionals and their clients.

“Security is one of the top issues on the minds of every MLS leader today,” said Shaleen Khatod, Executive, Enterprise Strategy & Initiatives for CoreLogic. “CoreLogic is re-writing the MLS defense book for safeguarding MLS systems and data against threats like ransomware and cyber-attacks. This includes Clareity Assure adaptive authentication meticulously analyzing user behavior patterns. It can identify and stop bad actors while ensuring authorized users get the safe, secure and frictionless access they need.”

Because CoreLogic’s Clareity Assure security solution is already integrated into more than one thousand of the most common software tools used by real estate agents, the onboarding process for MLSs to add Clareity Assure with its Single Sign On (SSO) Dashboard can be done quickly and hassle-free. The security platform is available to all MLSs, regardless of if they use Clareity’s SSO Dashboard.

“Clareity Assure provides MLS leaders and their subscribers peace of mind that their systems are resilient against existing and evolving threats,” said Khatod, adding, “Clareity Assure is an essential part of a comprehensive security strategy, providing the highest level of security to safeguard the data and applications that drive their business.”

The number of ransomware victims globally increased 143 percent during the first quarter of 2023, according to a new report from insurer Alliance Commercial. The study estimates the annual cost of ransomware to victims will soar to $265 billion annually by 2031.

For more than 15 years, Clareity security offerings from CoreLogic have been the industry standard for cutting-edge, modern security solutions.

Clareity Assure is available now for all MLSs. More information is available on the CoreLogic website at https://corelogic.com/clareity.

About CoreLogic
CoreLogic is a leading provider of property insights and innovative solutions, working to transform the property industry by putting people first. Using its network, scale, connectivity, and technology, CoreLogic delivers faster, smarter, more human-centered experiences that build better relationships, strengthen businesses, and ultimately create a more resilient society. For more information, please visit www.corelogic.com.

CoreLogic, the CoreLogic logo, and Clareity Assure are trademarks of CoreLogic, Inc. and/or its subsidiaries. All other trademarks are the property of their respective owners.

The post AI is a vital part of CoreLogic’s new Clareity Assure security platform for MLSs appeared first on WAV Group Consulting.

In today’s digital age, cybersecurity has finally become a top priority for organizations across all industries. Especially in real estate after last year’s events. Cyber threats are becoming more sophisticated by the day, and data breaches can have devastating effects on businesses. 

Despite this, many organizations still take a reactive approach to cybersecurity, only implementing security measures after a breach. 

However, there is a better way to approach cybersecurity – one that offers greater protection against attacks and reduces the risk of data breaches. This approach is known as Security by Design.

A friend of mine who is a chief information security officer for a real estate brokerage was discussing last year’s incident and his achievement of SOC-2 compliance. During our conversation, he mentioned how implementing Security by Design was crucial to achieving SOC-2 compliance. 

We discussed how Security by Design involves incorporating security measures at every part of an organization rather than adding them as an afterthought. He said implementing Security by Design enables organizations to recognize and mitigate potential security risks early on, therefore ensuring compliance with industry standards and SOC-2. That raised another question for me.

What is Security by Design?

I learned that Security by Design is a proactive approach to cybersecurity that involves integrating security measures into an organization’s operations and culture from the ground up. 

Instead of treating security as an afterthought, Security by Design requires security to be an integral part of an organization’s design and development processes. This helps to create a more secure foundation for an organization’s digital infrastructure, making it less vulnerable to cyber threats. A practice I have been taking for a long time within my own environments.

How does Security by Design work?

Security by Design involves a range of practices and techniques that help to embed security into an organization’s culture. These include things like adopting a risk management approach to security: 

• By integrating security into the software development life cycle
• Providing regular security training and education to employees
• Regularly updating and patching systems to address vulnerabilities. 

By making security a part of an organization’s DNA, it becomes much more difficult for cybercriminals to exploit weaknesses in an organization’s security measures.

Why is Security by Design important?

The importance of Security by Design cannot be overstated. Cyber threats are growing in sophistication, and the consequences of a data breach can have a devastating impact on businesses and their customers.

The financial cost of a data breach can be significant, and damage to an organization’s reputation can is more difficult to recover from. 

By adopting a Security by Design approach, organizations can significantly reduce the risk of cyber-attacks and mitigate the impact of data breaches if they do occur.

How do I Benefit from Security by Design?

Adopting a Security by Design approach offers a range of benefits for your organization. It helps to create a more secure floor for an organization’s digital infrastructure, reducing the risk of data breaches and cyber-attacks. It can also help to reduce the cost of cybersecurity by preventing breaches before they occur and minimizing the impact of breaches that do occur — it is not a question of if a breach occurs, it is when.

In addition, it can improve an organization’s brand reputation, product, or services. It is a demonstration of your commitment to security and data protection.

How to Implement Security by Design?

Implementing Security by Design takes a lot of work to implement and maintain. The whole approach requires a fundamental shift in how organizations approach cybersecurity. There are a range of best practices and techniques that organizations can adopt to embed security into their operations and culture. These include things like:

•  Conducting regular security audits
• Adopting a risk management approach to security
• Integrating security into the software development life cycle
• Providing regular security training and education to employees
•  Regularly updating and patching systems to address vulnerabilities. 

By implementing these best practices in a strategic and coherent way, organizations can make Security by Design an integral part of their culture.

Be Proactive!

In today’s digital age, cybersecurity should be a top priority for all organizations. According to Verizon’s 2023 Data Breach Investigative Report, over 74% of data breaches are cause by human actions. These are either through social engineering or phishing scams that continue to innovate on fooling their victims for access to an organizations data vault. 

A reactive approach to cybersecurity is no longer enough. Adopting a proactive Security by Design approach is essential to mitigate the risks associated with cyber threats. Leverage an IT Services or Managed Service Provides organization that offers cybersecurity services. They can at least assist in monitoring your digital environment. If you need assistance evaluating any services or having a conversation about Security by Design, call me, David Gumpper.

By embedding security into an organization’s culture and operations from the ground up creates a more secure foundation for its digital infrastructure and significantly reduces the risk of data breaches and cyber-attacks. 

Implementing Security by Design requires a fundamental shift in how organizations approach cybersecurity, but the benefits are clear – greater protection against cyber threats, reduced risk of data breaches, and a more secure future for businesses and their customers.

The post The Future is Secure: Understanding the Importance of Security by Design appeared first on WAV Group Consulting.

DirecTV did not call her.

It was someone trying to scam her out of $300. 

The scary part – it was really convincing.

However, she knew to second guess the caller before providing her information. Why? Because it is something we have talked about as a family. The FTC reported that Americans lost billions of dollars in 2021 from scams. 

Americans are not the only ones losing billions of dollars because of scams. So are businesses. The exact dollar figures are not important. What is important is what you should be doing to protect your MLS, brokerage, and association. You must start with the first layer of defense against scams, educating your people.

Start with educating yourself and your staff. 

I’m not saying it is that simple, but the reason phishing scams work so well is that they are designed to target even the brightest people. Some scams are more obvious than others. 

Here is a phishing scam that someone tried recently targeting WAV Group Facebook page and its followers: 

This one seems fairly obvious that it is a scam. But they wouldn’t be doing it if it didn’t work at least some of the time. You must stay diligent even when your team says “Yeah, yeah I know.”  

Our data and technology experts at WAV Group have helped many clients over the years examine their technology stacks and consult with their staff to keep the scammers out.  If you would like an expert to examine the vulnerabilities of your digital platforms or get help educating your team on the dangers lurking in their inbox, cell phone, text messages and social media, WAV Group is here to help. David Gumpper our digital security expert will be happy to help protect your team and your company from disaster. 

Click here and we will be happy to schedule a time to talk to you. 

The post Start with training and education to defend yourself and your organization from phishing scams. appeared first on WAV Group Consulting.

Basics

Ransomware is software code that criminals use to break into your network, find critical information, and lock that information or encrypt it so you cannot access it without the encryption key. The criminals make you pay them – typically in some form of crypto-currency – to gain access to the locked data. Sometimes they go even further by demanding that you pay extra not to have your data published on the dark web where other criminals can access it for harmful causes.

How hackers hack

For the most part, hackers use methods that fool people into giving them access to systems. Knowing the popular methods that hackers use to do this is a helpful way to avoid being compromised.

Email and text phishing –

This hacking method has been around for a long time. The hacker cloaks the email address or a text message of the sender to make it look familiar. The email you get might be masked as the name of a co-worker who asks you to click a link or download an attachment that contains the malware. You might see a text message from Netflix telling you that your subscription requires renewal and to “click here to update your card on file,” Sometimes, hackers use this method to also gain access to your email account to send out emails from your address to spread the infection.

Remote Desktop Protocol (RDP) –

Have you ever needed to grant access to your computer for technical support? This functionality which enables you to get remote support also creates a backdoor for hackers to gain access to your computer. Usually, they will use methods to try to hack your computer’s username and password either through trial and error, or by purchasing usernames and passwords that are published about you on the dark web. Experian offers a free dark web scan if you want to understand what information about you is on the dark web; chances are there is much more out there than you might expect.

Software vulnerabilities –

Software is often the culprit in allowing hackers to gain access to your information. The developer of software that you use might have software vulnerabilities in their code that allows hackers to access your information through the software that you install. Remember the ‘Zoom Bombing’ that happened frequently during the early days of the pandemic? Don’t worry, most of the Zoom vulnerabilities were fixed in the spring of 2020. But in the early days of Zoom, this was a concern. Be careful when you install new software.

Online surfing –

Sometimes simply clicking a digital ad or visiting a web site that’s embedded with malware can infect your system.

Defending yourself

Your company should have a comprehensive ransomware prevention and recovery strategy, as well as a periodic audit to make sure that you are following best practices.

Data backups –

Regularly backing up your data will allow you to restore from a backup if you are hacked. Best bet is to physically store your backups offline and test your back up from time to time. Some security experts refer to the 3-2-1 strategy – Have 3 copies of your data, 2 different mediums – (one hard drive, one USB), and store at least 1 copy off site (Google Cloud, Amazon, etc.)

Training –

As mentioned above, most hacks are a result of user error; like falling for a scam that allows hackers access to information. The best way to close this security vulnerability is through regular training; like performing simulated hacking, such as email phishing simulations.

Apply security patches –

Companies are constantly updating their software to apply security patches that harden your network against common attacks. The failure to apply these updates will often leave you vulnerable to hacking.

Use a reputable anti-virus product –

An anti-virus product can conduct frequent security scans and check for malware. They often can clean up any infection that you may already have.

Develop a disaster response plan –

What would you do if you were hacked today? Often, these situations can cause chaos in your organization. Imagine trying to operate today if you were locked out of every computer, companywide. Being proactive and having an incident response plan, know your insurance coverage, who and how do you notify your employees and customers. Do you have a recovery support specialist on speed-dial?

Use good account and network passwords –

Prevention is the key to handling ransomware attacks. I am sure that there are some of you that are using passwords like “Passw0rd!” Change your passwords to use the ‘suggested strong passwords’. With important passwords, consider using two-factor authentication to minimize the threat. A well-designed password system will keep your information safe.

If you are a mid-size or larger Association or MLS, then you may want to consider a security audit from someone who has deep knowledge of real estate industry information security. Matt Cohen, Principal, Advisory Services with CoreLogic Real Estate Solutions is someone you can reach out to for more information. Click here to email Matt.

The post Defending Against Ransomware Attacks and Other Cyber Security Tips appeared first on WAV Group Consulting.

This week – Zillow Group sent a message to their customers indicating that their terms of use have changed. The changes went into effect on November 4th. If you use any of the Zillow Group websites or product, you’d better go and take a look. Here is the link.

You should also take a close look at the Privacy Policy:

https://www.zillowgroup.com/zg-privacy-policy/

I would also strongly recommend that you have your lawyer review them. If you consider your personal data or listing data as an asset, you should be careful when you extend rights to that asset to Zillow Group or any other entity – especially an entity that generates revenue by leveraging your asset.

Here are a few highlights that we are concerned about. You might be too.

Zillow does not claim any responsibility for any consequences that may be caused by the usage of their websites or software application. That blanket statement covers all of their brands and products.

Once you provide data to Zillow, you are prohibited to reuse the data yourself other than limited use. This is outlined under prohibited use, item 5.

Any fee paid for services is not refundable.

Any information uploaded by you has the same effect of providing an irrevocable, free, perpetual license to use, reproduce, modify, or create other stuff using your data. And, as in the past – by submitting your data you guarantee that you have all of the rights to do so and that you are not offending any other persons’ rights. For example, when using a professional photographer to take photos of a home you are marketing, you need to make sure that the photographer has authorized you to give the irrevocable and perpetual license to use that data.
The terms of use gives Zillow an open license to provide your data to third-parties, including your personal information, however they like, and Zillow takes no responsibility at all for anything that may happen to your data in the hands of a third party.

This is a big one – you are entering into an agreement that allows them to make a referral to a real estate professional and to be paid a valuable consideration for facilitating the connection. This is also true of referrals to loan providers, origination services, title, etc. Zillow claims the right to get paid for all of these referrals but is not in any way responsible for any harm that this may cause you or your company. They can even run a credit check through Checkr or Experian and share that information to others.

You do have the right to delete your account and all personal data – but not listing data.

You agree to indemnify Zillow Companies and agree not to receive any direct or indirect damages as a result of your use of their services or the services of any third party.

They make no warranties about their service.

I urge you all to take these terms of use very seriously and to perform your own review alongside your legal review. Be careful out there. These terms of use are your only guardrails to protect you and your data.

The post News Alert – Zillow Publishes New Terms Of Use – Read the Fine Print appeared first on WAV Group Consulting.

Browser security is a big part of the next release of Chrome. A  major impact to websites if it contains mixed content downloads…ie…content that is downloaded from secured and unsecured sites. There are a significant number of websites that have the current warning that they are “Not Secure” even with HTTPS.

Transcript

Today we’re going to talk about a browser that is making some significant changes coming in January of 2021, and that’s going to have an impact to how people view your websites. If you haven’t taken all the precautions that we spoke about so listen in.

Back in March of 2019, the article that we wrote was “This Website is not Secure.”

And in the article. we kind of give you the insight to what does it mean that your website should be secure, what is security, and how can you tell that it’s secure and so forth. So, let’s take a quick look at that article just to kind of refresh ourselves with the content of that article, and kind of really dive deep into one area where one browser is making a big change in January 2021.

Here is the article. We talked a little bit about HTTPS and HTTP what’s the difference. What is secure or not secure website. Non-secure websites are open, in other words, any data that’s being passed back and forth can be read by others. How that it’s important from a consumer’s privacy and security to make sure that you do have a secure website.

Naturally, there is always search engine optimization benefit to make sure that your websites are secure. Google has made it a mandate that all websites, no matter if they are passing content or registration forms or anything like that on them, it should still be secured.

But, what I’m really concerned about and why I really wrote the article was to inform everybody about the impact that it has on your companies brand image.

When people go to your website and if they get some kind of negative response from the browser, that doesn’t reflect very well on the company’s brand. This is why we are really looking at this, because Chrome specifically is making a significant change.

Right now, if you go to Chrome and your go to someone’s website, it might say HTTPS on it, but it still will have this “Not Secure”. Well, what does that mean? The connection to the site is not secure, but it also could mean that maybe some content that is specifically on that website is not secure.

So, in another words, your whole website is HTTPS, but let’s say you have an image coming from a different source and that source isn’t secure, it doesn’t use HTTPS. It’s using HTTP that’s insecure. Right now, Google and the other browsers in this area will let people know that, Hey, you know this site might be somewhat secure, but it’s not all secure and that goes for video, text, PDF files, audio files, and so forth.

So, they’re really looking at all this. And, we kind of talk about that how it looks like in Chrome, how does a website looks like that is secure in Chrome. There is big difference when it comes the brand image. This also extends out to the mobile devices as well.

So, it’s not just browsers. I know we’re just looking at browsers here, but it really also impacts your iPad your iPhones, your Androids, and the tablets.

So, these are just all kinds of things that we talked about back in March of 2019, and why it’s important for you to start looking at it just from a company brand image but.

Chromium Blog – Chrome security roadmap

Here is why I want to, what I’m going to really focus on is what Google is doing with Chrome. We are going to go to this article that was written in February of 2020, so earlier this year, and it’s been updated in April of 2020.

Well, what they’re doing is kind of explaining why they are doing this and why they are making sure that there are no, that, if there are insecure downloads from a server coming to the browser, that they’re going to do something about it. I’m just going to go right down to this little graph right here.

And on the little text bullet points underneath it, which I’m gonna address, try to pull out here. So, this graph here will let you know that as each version of Chrome comes out, the different releases overtime, that they are going to take certain steps.

So, like for instance, in Chrome 85 you know they are now blocking executable such as dot EXE files. So, any link that might be too an EXE file or dot APK file, or whatever type of file, it will block it automatically, especially if it’s coming from a non-secure site.

And that is what they call mixed content downloads. You have some content that is secure and some content that’s not secure.

Well, this is what is really important starting in Chrome 88 and later. Images, audio, and video. Like PNG files, MP3 for audio, MP4 for video, dot MOV for video, dot PDF for Adobe PDF files. Any kind of file like that, is going to be blocked.

In other words, if your site is pulling content from an insecure source or it has mixed content downloads, they are going to block those images.

We’re going to kind of scroll down to this last bullet point here, where you can see this is what’s coming up in January of 2021 on Chrome 88, which is scheduled to be released in January of 2021, will now blocked all mixed content downloads.

So, that’s all your images and so forth and that’s really important, because unfortunately, I kind of took a gander around the real estate space of websites, and you would be surprised on how many sites have mixed content download of secured an unsecured download of images.

And they’re mostly all images, some files. Mostly your core corporate sites, especially on the residential side, are pretty much OK. Especially if you are on a platform like MoxiWorks, or Reliance Networks, Delta Media and others.

But here’s where I find that we are missing the boat on a lot, and that’s on your ancillary service websites. Your mortgage, your title, your insurance, your rentals, and your commercial websites.

I was completely surprised by how many websites that I have went through, and saw that this was a big issue. You know that I’m being notified that there’s mixed content, secure and insecure downloads occurring on a website, on a mortgage website.

How much of a brand negative is that, it really is…I was lost for words to really say “Hey”, it wasn’t just one or two, it was several websites.

So, it doesn’t speak very well for the brand when someone goes to your website and it says not secure. Especially when you’re talking about mortgage. And the worst part about it, it’s really is simple stuff. It’s really just images coming from an insecure site.

All you have to do is secure those servers so that they are delivering content securely. That is why it’s important.

Chrome Market Capture

To end this. Why am I so focused that Chrome is going to do this? I believe the other browsers are also going to eventually follow suit, with Google is doing with Chrome. But, Chrome happens to be, as we will see from this page. BOOM, from StatCounter.com, on browser market share worldwide.

Chrome happens to be close to 66 – 63 percent, at the end of November, of the market share. Substantially a lot more than all the others combined as far as market share goes, so, which means most people use Chrome.

They use Chrome on their tablets, on their mobile devices, and their laptops and desktops. So, it’s very prominent. And, as of January 2021, people are going to start not seeing images if they are coming from an insecure source.

So, what you need to do now over the next 4 weeks, 5 weeks, 6 weeks – before the release of Chrome 88 comes out – is do an audit, really quick. Take a look at all of your websites, including blogs.

That’s the other biggest offender that I found was blogs that are not hosted within your own website platform. They’re hosted through WordPress on an external WordPress site or Drupal or Joomla or PHP or whatever.

I’m finding that a lot of them also have mixed content downloads on them. In other words, there are secured but they have content that is being downloaded to the browser that is insecure. And starting in January 2021 sometime, those downloads are not going to happen.

What you’re going to get? Is you’re customers are going to get pages that will not have images. I know because if those images are coming from an insecure source. It’s they’re just not going to be downloaded it will be blank space

Do your audit take a look and be prepared to take care of it before January of 2021.

Thank you very much for this edition’s insightful tech take care and as always be safe.

Be happy and be better, take care.

References:

The original WAV Group article, “This Website is Not Secure”, that discusses how sites with HTTPS can still be downloading unsecured content.

The roadmap laid out by Google on Chrome’s pathway to ensure all content delivering to the browser is secured – Protecting users from insecure downloads in Google Chrome

Browser market share information provided by StatCounter.com

The post New Web Browser Security Measures Coming IN January 2021 appeared first on WAV Group Consulting.

While the last few months have been challenging, and they have also been a learning experience for everyone. Christopher Callahan, CISO for Weichert Companies, and I have had an extensive conversation on security and business continuity learnings from the pandemic.

Why is this important?

In the business world, Shelter-in-Place (SiP) has displaced the workforce from the safe confines of corporate offices into employee’s homes. I mean, everyone! A full-fledged transformation into a virtual company.

The security exposure and risks have increased significantly across all aspects of the business. Isolation of remote access to the company information is limited to the sales team and a few staff who are road warriors. Now, completion of the firm’s business occurs in little islands of offices — for every employee.

Chris and I discuss pandemic planning topics as part of a business continuity strategy and other security practices. We take a stab at the security risks and new processes and policies that need to be reviewed or implemented.

The design of Insightful Tech is to expose people and technology to the WAV Group’s audience. The intent is to provide interviews, demo’s, and pass on the knowledge I’ve gained to help people do more with technology.

I do want to give Chris a big “Thank you” for participating in my first interview. I appreciate his knowledge, our long-time friendship, and for taking this journey with me.

Please be patient on some of my techniques and equipment. I am figuring this out as I do these videos. Why not keep learning and trying to be better! Anyone who knows me understands incremental gain is my idealogy. I promise to be better and to help others be better too.

The post Security and Business Continuity – Learnings from the Pandemic appeared first on WAV Group Consulting.